To Catch a Cyber Thief
Stratfor, 3 June 2016

Forecast

South Africa’s Standard Bank, so far the only institution to come forward as a victim of fraudulent withdrawals by an organized network, will not be able to recoup all of its $12.7 million in losses.

Arresting the street criminals associated with unlimited operations will do little to stop future strikes, which will continue until the hackers behind the heist are found and detained.

Nevertheless, authorities will likely apprehend the hackers behind the latest unlimited operation in Japan, though it may take years.

In the early hours of May 15, hundreds of people withdrew millions of dollars from more than 1,000 ATMs throughout Japan using fraudulent information. KATAMAKURA/Wikimedia.

Analysis

Financial institutions face a growing list of cyberthreats that can detract from the bottom line. And increasingly, cybercrime and street crime are finding common ground. In the early hours of May 15, more than 100 individuals used fraudulent financial information to make nearly 14,000 withdrawals from ATMs at 1,400 7-Eleven convenience store locations scattered throughout Japan, according to Japanese police. As a result, South Africa’s Standard Bank suffered $12.7 million in losses, though its individual customers did not lose any money. This suggests that the heist was not a case of widespread identity theft but rather a more sophisticated form of electronic intrusion known as an unlimited operation.

Unlimited Operations

Before the incident in Japan, criminals had pulled off four major unlimited operations since 2007. Over the years, the attacks have become more ambitious, progressing from a $5 million caper in 2007 to a $55 million operation that spanned two years from 2011 to 2013. Regardless of the size of the operation, they all follow the same basic plan.

In unlimited operations, a small group of hackers deploys street criminals to help exploit vulnerabilities in the banking system. First, intruders gain access to the bank or third-party servers that process ATM transactions. Once in the server, the hackers create credentials that allow them access to unlimited account values. They then recruit intermediaries to fabricate access cards and make withdrawals. As the intermediaries, known as “cashiers,” make their withdrawals, the hackers can monitor account transaction activity through the ATM processing servers.

After the operation is finished, cashiers retain a cut of the proceeds and send the rest to the hackers. The crimes are remarkable in their collaborative aspect: Neither the hackers nor their accomplices on the ground could execute the operation alone. And by teaming up with street criminals, the technical masterminds are better able to evade capture and plan future strikes.

Limited Similarities

So far, details from the Japanese case support this model. Like previous unlimited operations, it targeted a bank — and not its customers — and employed scores of people to withdraw millions of dollars from thousands of ATMs in a matter of hours. But the Japanese case differs from the other operations in two notable ways. For one, the latest incident was more geographically focused. In three of the earlier cases, leaders distributed fraudulent account information to cashiers around the world; the two-year operation, linked to a Turkish hacker, Ercan Findikoglu, spread across 26 countries, including Japan.

Although Japan is the only country so far connected with the latest case, this could change. In the previous cases, investigators worked for years to uncover the extent of the crimes. Furthermore, the May operation could have hit other banks that have not yet come forward. After all, Japanese authorities waited a week before making this case public. Japan and South Africa are relatively soft targets for an unlimited operation since neither has fully implemented the more secure chip-and-pin electronic payment system. Without chip-and-pin technology, thieves can overwrite account information on a credit card’s magnetic strip, a tactic that prior operations relied upon.

Compared with past unlimited operations, the Japan case was better coordinated. Though not the most lucrative, it has been the most efficient strike to date. Cashiers withdrew $12.7 million in just three hours, at an average rate of one withdrawal every 1 minute, 20 seconds. Such a large, fast-paced operation required substantial planning and choreography to ensure that operatives did not overlap at ATMs and cause delays or cash shortages. In addition, the perpetrators staged the operation early on a Sunday morning, thereby reducing the risk that they would be noticed. On the virtual and physical ends alike, the Japan heist appears to be the work of painstaking professionals.

But there is good news for Japan and South Africa. However advanced the technique, an unlimited operation is not a perfect crime. Each of the preceding operations has been solved. The hackers and cashiers who executed them face serious charges and sentences; in March, Findikoglu pleaded guilty to multiple U.S. federal criminal charges. Authorities around the world have seized millions of dollars in assets to repay money stolen in unlimited operations.

In the latest case, Japanese police have already caught two cashiers in Aichi prefecture, and ATM camera footage should help identify more. Meanwhile, large deposits in yen should trigger international money laundering protocols — eventually, the money has to go somewhere. The U.S. Secret Service detained a gang of cashiers from a New York operation after one of them made a large deposit in $20 bills at a Miami bank.

Just the Beginning

Even so, no matter how much authorities seize in assets, it is unlikely that South Africa’s Standard Bank will ever retrieve the full $12.7 million it lost. Moreover, unless further investigations implicate U.S. banks or servers in the operation, the FBI and Secret Service, which led the investigation and prosecution of previous operations, will not have jurisdiction in this case. In fact, to assist the affected parties at all, U.S. law enforcement would need cooperation from local authorities. The United States has a strong working relationship with Japan, but South Africa is a more likely source for clues that would lead to the hackers.

And if the perpetrators are as meticulous and coordinated in laundering the money as they were in withdrawing it, they could well leave a cold trail. Earlier this year, $81 million disappeared after an intrusion into Bangladesh’s central bank, and investigators lost the trail in a web of Philippine casinos. By comparison, $12.7 million seems a manageable sum.

Based on the timeline of past unlimited operations, the details of this crime will take a long time to emerge. As long as the perpetrators remain free, they can conduct additional operations, even if surveillance video or suspicious deposits lead Japanese authorities to the cashiers. The real prize for law enforcement in this case is the hacker (or hackers) who made the whole operation possible. It took the international community four years to track down Findikoglu. For his successor, this might be just the beginning of a string of rip-offs.

About Stratfor

Founded in 1996, Stratfor provides strategic analysis and forecasting to individuals and organizations around the world. By placing global events in a geopolitical framework, we help customers anticipate opportunities and better understand international developments. They believe that transformative world events are not random and are, indeed, predictable. See their About Page for more information.